So I get an email (yes, I subscribe to it) from Ad Age pointing me to AT&T Ridding Some Retail Stores of Cash Register, Counters and Other Clutter ‘Warmer’ Shopping Experience Includes Orange Coloring, Wood Paneling, Demos, by John McDermott. I read it and decide to make a comment under it. I’ve done this before, so I don’t expect problems. I write it and go to log in. That gets me this:
Note that it says “Welcome back, Doc” under “Login with your Social Identity.” So I click on that, get to a page with a “Sign in with Twitter” button, click on the button and then find myself on this popover window:
Note that it says “we were unable to match the email address for your social network and AdAge.com accounts.” In fact I am logged in with Twitter, I receive emails from AdAge at the same address I have associated with Twitter, and I don’t feel like using a different “social identity.” So I fill the form out, and another little pink word balloon appears, truncated by the top of the window:
When I click on the “here,” it sends me back to the first login page. There I fill out what two different browsers (deep in the prefs, where they keep this info) tell me is my login/password for AdAge.com. Then I get this:
I think, wtf is that error doing over on the social side of this thing? Can’t think of an answer, so I click on “Forgot UserID/Password”, enter my email address twice, as it requires, and get promised an email that will recall my login details.
Many minutes later I get an email confirming my email address. Alas, the password is a different link. So I click on that. (Using the present tense because I am doing this in real time.) But the session is lost. So I click on another link, go to an unwanted place at AdAge, click on the back button, and get this:
Click on “less” and I get this:
Click on “more” and I get the less thing again. Anyway, a dead end.
So now I go back to https://adage.com/register, and start entering the fields again. This time I get a red pop-out balloon that says “This address is already taken. Forgot your password?” So I click on the link and get to a window where I have to enter my email address again. I do that and it tells me “Your password has been sent to your e-mail address”. It’s now 10:22. I first saved a draft of this post at 9:07. I’ve been doing other things (e.g. making breakfast and coffee), but you can see this is taking a while.
Okay, so now I have the email, which tells me my password. It’s one I don’t recognize at all. I’m guessing it’s a new one. So I go back to a login page, enter my email address and the password they gave me and: voila! I’m logged in. It is now 10:29.
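The detail worth pausing on in that story is the reset mail that contained a password in the clear: a server that can put a password in an email is storing it in a form it can read back, and whoever can read the mailbox (or the database) has it too. The following is an added example written for this page, not AdAge’s code, and the addresses, the reset URL (`https://example.invalid/reset`), the fifteen-minute token lifetime and the captured “outbox” standing in for a mail send are all constructed assumptions. It puts the recoverable-password version next to the usual fix: store only a salted hash, and on “forgot password” send a random single-use token that expires, never the password itself.

```python
"""Password reset two ways: recoverable password vs. hash-only storage plus
one-time reset tokens. Added example, not code from the site in the post.
Everything is in memory and 'email' is a captured string, so it runs offline.
"""
import hashlib
import hmac
import secrets
import time

# --- the weak way: the server keeps the password and mails it on request ----
class RecoverablePasswordStore:
    def __init__(self):
        self._passwords = {}   # email -> password in the clear
        self.outbox = []       # constructed stand-in for an SMTP send

    def register(self, email, password):
        self._passwords[email] = password

    def forgot(self, email):
        # Anyone who can read this mailbox, or this table, has the password.
        self.outbox.append((email, f"Your password is: {self._passwords[email]}"))


# --- the hardened way: salted hash only, reset by expiring single-use token --
TOKEN_TTL = 15 * 60          # seconds a reset link stays valid (assumed policy)
PBKDF2_ROUNDS = 100_000      # iteration count (assumed; tune to your hardware)
RESET_URL = "https://example.invalid/reset?token="   # assumed, not AdAge's

class HashedPasswordStore:
    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._users = {}           # email -> (salt, pbkdf2 digest)
        self._tokens = {}          # sha256(token) -> (email, expires_at)
        self.outbox = []           # constructed stand-in for an SMTP send

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, email, password):
        salt = secrets.token_bytes(16)         # fresh salt per password
        self._users[email] = (salt, self._hash(password, salt))

    def check_login(self, email, password):
        rec = self._users.get(email)
        if rec is None:
            return False
        salt, digest = rec
        # constant-time compare: no timing leak on how many bytes matched
        return hmac.compare_digest(digest, self._hash(password, salt))

    def forgot(self, email):
        # Same response whether or not the address exists, so the form
        # cannot be used to enumerate accounts.
        if email in self._users:
            token = secrets.token_urlsafe(32)
            key = hashlib.sha256(token.encode()).hexdigest()   # store hash, not token
            self._tokens[key] = (email, self._now() + TOKEN_TTL)
            self.outbox.append((email, RESET_URL + token))
        return "If that address is registered, a reset link has been sent."

    def reset(self, token, new_password):
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._tokens.pop(key, None)    # pop: a token works exactly once
        if entry is None:
            return False
        email, expires_at = entry
        if self._now() > expires_at:           # expired tokens are dead
            return False
        self.register(email, new_password)     # new salt, new hash
        return True


def token_from_mail(body):
    """Pull the token back out of a captured reset mail (test helper)."""
    return body.split("token=", 1)[1]


if __name__ == "__main__":
    weak = RecoverablePasswordStore()
    weak.register("doc@example.invalid", "hunter2")
    weak.forgot("doc@example.invalid")
    print("weak store mailed:", weak.outbox[0][1])

    store = HashedPasswordStore()
    store.register("doc@example.invalid", "old-pass")
    store.forgot("doc@example.invalid")
    tok = token_from_mail(store.outbox[0][1])
    print("reset ok:", store.reset(tok, "new-pass"))
    print("token reused:", store.reset(tok, "again"))
    print("login with new password:", store.check_login("doc@example.invalid", "new-pass"))
```

The two stores expose the same `register`/`forgot` surface, which makes the difference easy to see: the weak one’s mail contains the secret, the hardened one’s mail contains a capability that dies after one use or fifteen minutes, and its database holds nothing that turns back into a password.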
The answer is simple: we’ve given all responsibility for relationship to the server and left the client as a purely dependent variable. While the formal name for this model is client-server, I prefer calf-cow:
The sites are the servers, and our browsers are the clients, suckling the servers’ teats for the milk of “content” and cookies to keep track of us.
It has blown for eighteen years.
The server side can’t fix it, as long as relationship is entirely their responsibility. What we get from that are:
- Awful gauntlets such as the one I just went through — and kluges such as “social login”, by which we trade security for convenience. Especially with Facebook. (The only reason I attempted to use Twitter in this case was that AdAge appeared to remember me that way. Turns out it barely remembered me at all.)
- Different kluges with every single website and Web service, each a silo. All of those silos think they get “scale” with their thousands or millions of users and customers. But you get the opposite, and it only gets worse with every site you add to your roster of logins and passwords.
- Huge burdens on servers and personnel who need to create and manage easily-broken systems such as AdAge’s.
We can only fix this thing from the client side. It’s simple as that. We’re the ones that need scale. We’re the ones that need our own simple and singular ways of relating to others on the Web and the Net.
Hint: we won’t be able to do it through any silo’d service. We can prototype with those, but they are not the full answer. They just answer the silo problem with yet another silo.
Working one angle toward this simple goal-state (which, after all these years in the calf-cow corral, looks like nirvana) are Abine, Dashlane, MySocialCloud and Privowny, each of which provides ways not only to manage many passwords and logins, but (in some cases) to generate unique email addresses and passwords for different sites, if you like. Far as I know, all of them are also substitutable, meaning that you can pull all your data out and use it for yourself or with another service. (Many other companies offering related services are also listed here among VRM developers.)
But, hey: if we’re leaving the corral, why should we need logins and passwords at all? If you and a site or service truly know each other, why should you both go through the rigamarole of logging in all the time?
There are a zillion good security answers to that question, but they are all coming from inside the same box (or corral) we’ve been in for the duration.
It’s time to think and work outside that box.